refactor testing

server/api/auth/config.get.js

@@ -1,3 +1,3 @@
-import { getAuthConfig } from '../../utils/authConfig.js'
+import { getAuthConfig } from '../../utils/oidc.js'
 
 export default defineEventHandler(() => getAuthConfig())

server/api/auth/login.post.js

@@ -1,7 +1,7 @@
 import { setCookie } from 'h3'
 import { getDb } from '../../utils/db.js'
 import { verifyPassword } from '../../utils/password.js'
-import { getSessionMaxAgeDays } from '../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../utils/constants.js'
 
 export default defineEventHandler(async (event) => {
   const body = await readBody(event)
@@ -15,10 +15,10 @@ export default defineEventHandler(async (event) => {
   if (!user || !user.password_hash || !verifyPassword(password, user.password_hash)) {
     throw createError({ statusCode: 401, message: 'Invalid credentials' })
   }
-  
+
   // Invalidate all existing sessions for this user to prevent session fixation
   await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
-  
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()

server/api/auth/oidc/authorize.get.js

@@ -1,5 +1,5 @@
-import { getAuthConfig } from '../../../utils/authConfig.js'
 import {
+  getAuthConfig,
   getOidcConfig,
   getOidcRedirectUri,
   createOidcParams,

server/api/auth/oidc/callback.get.js

@@ -6,7 +6,7 @@ import {
   exchangeCode,
 } from '../../../utils/oidc.js'
 import { getDb } from '../../../utils/db.js'
-import { getSessionMaxAgeDays } from '../../../utils/session.js'
+import { getSessionMaxAgeDays } from '../../../utils/constants.js'
 
 const DEFAULT_ROLE = process.env.OIDC_DEFAULT_ROLE || 'member'
 
@@ -76,7 +76,7 @@ export default defineEventHandler(async (event) => {
 
   // Invalidate all existing sessions for this user to prevent session fixation
   await run('DELETE FROM sessions WHERE user_id = ?', [user.id])
-  
+
   const sessionDays = getSessionMaxAgeDays()
   const sid = crypto.randomUUID()
   const now = new Date()

server/api/live/webrtc/create-consumer.post.js

@@ -15,12 +15,12 @@ export default defineEventHandler(async (event) => {
   if (!session) {
     throw createError({ statusCode: 404, message: `Session not found: ${sessionId}` })
   }
-  
+
   // Authorization check: only session owner or admin/leader can consume
   if (session.userId !== user.id && user.role !== 'admin' && user.role !== 'leader') {
     throw createError({ statusCode: 403, message: 'Forbidden' })
   }
-  
+
   if (!session.producerId) {
     throw createError({ statusCode: 404, message: 'No producer available for this session' })
   }

server/api/me/avatar.delete.js

@@ -6,13 +6,13 @@ import { requireAuth } from '../../utils/authHelpers.js'
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) return { ok: true }
-  
+
   // Validate avatar path to prevent path traversal attacks
   const filename = user.avatar_path
-  if (!filename || !/^[a-f0-9-]+\.(jpg|jpeg|png)$/i.test(filename)) {
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
     throw createError({ statusCode: 400, message: 'Invalid avatar path' })
   }
-  
+
   const path = join(getAvatarsDir(), filename)
   await unlink(path).catch(() => {})
   const { run } = await getDb()

server/api/me/avatar.get.js

@@ -8,13 +8,13 @@ const MIME = Object.freeze({ jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/
 export default defineEventHandler(async (event) => {
   const user = requireAuth(event)
   if (!user.avatar_path) throw createError({ statusCode: 404, message: 'No avatar' })
-  
+
   // Validate avatar path to prevent path traversal attacks
   const filename = user.avatar_path
-  if (!filename || !/^[a-f0-9-]+\.(jpg|jpeg|png)$/i.test(filename)) {
+  if (!filename || !/^[a-f0-9-]+\.(?:jpg|jpeg|png)$/i.test(filename)) {
     throw createError({ statusCode: 400, message: 'Invalid avatar path' })
   }
-  
+
   const path = join(getAvatarsDir(), filename)
   const ext = filename.split('.').pop()?.toLowerCase()
   const mime = MIME[ext] ?? 'application/octet-stream'

server/api/me/avatar.put.js

@@ -34,13 +34,13 @@ export default defineEventHandler(async (event) => {
   if (file.data.length > MAX_SIZE) throw createError({ statusCode: 400, message: 'File too large' })
   const mime = file.type ?? ''
   if (!ALLOWED_TYPES.includes(mime)) throw createError({ statusCode: 400, message: 'Invalid type; use JPEG or PNG' })
-  
+
   // Validate file content matches declared MIME type
   const actualMime = validateImageContent(file.data)
   if (!actualMime || actualMime !== mime) {
     throw createError({ statusCode: 400, message: 'File content does not match declared type' })
   }
-  
+
   const ext = EXT_BY_MIME[actualMime] ?? 'jpg'
   const filename = `${user.id}.${ext}`
   const dir = getAvatarsDir()

server/api/pois.post.js

@@ -1,6 +1,6 @@
 import { getDb } from '../utils/db.js'
 import { requireAuth } from '../utils/authHelpers.js'
-import { POI_ICON_TYPES } from '../utils/poiConstants.js'
+import { POI_ICON_TYPES } from '../utils/validation.js'
 
 export default defineEventHandler(async (event) => {
   requireAuth(event, { role: 'adminOrLeader' })

server/api/pois/[id].patch.js

@@ -1,6 +1,6 @@
 import { getDb } from '../../utils/db.js'
 import { requireAuth } from '../../utils/authHelpers.js'
-import { POI_ICON_TYPES } from '../../utils/poiConstants.js'
+import { POI_ICON_TYPES } from '../../utils/validation.js'
 import { buildUpdateQuery } from '../../utils/queryBuilder.js'
 
 export default defineEventHandler(async (event) => {